On Tue Jun 30, 2026 at 6:12 AM EDT, Yiyang Chen wrote: > bpf_arena_free_pages() accepts scalar arena addresses. The runtime > masks the address to the low 32 bits and reconstructs a full user > address from the arena base before returning the range to the arena > free tree. > > When the scalar value is below the low 32 bits of the arena base, > full_uaddr falls below user_vm_start. The existing upper-end clipping > then turns this into an out-of-range free-tree offset. A later > allocation can reuse that offset and return an address below the arena > mapping. >
This seems reasonable, my understanding is that this happens because neither arena start nor end actually has to be aligned at a 4GiB boundary, while the underlying kernel mapping does span the full 32 bits. AFAICT this bug returns an address that is not actually mapped into userspace and is inaccessible from it, correct? If the above is correct, feel free to add: Reviewed-by: Emil Tsalapatis <[email protected]> > Reject such frees before computing the clipped range. > > Fixes: 317460317a02a ("bpf: Introduce bpf_arena.") > Signed-off-by: Yiyang Chen <[email protected]> > --- > kernel/bpf/arena.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/kernel/bpf/arena.c b/kernel/bpf/arena.c > index 49a8f7b1beef5..e28e83bed8c51 100644 > --- a/kernel/bpf/arena.c > +++ b/kernel/bpf/arena.c > @@ -693,6 +693,8 @@ static void arena_free_pages(struct bpf_arena *arena, > long uaddr, long page_cnt, > uaddr &= PAGE_MASK; > kaddr = bpf_arena_get_kern_vm_start(arena) + uaddr; > full_uaddr = clear_lo32(arena->user_vm_start) + uaddr; > + if (full_uaddr < arena->user_vm_start) > + return; > uaddr_end = min(arena->user_vm_end, full_uaddr + (page_cnt << > PAGE_SHIFT)); > if (full_uaddr >= uaddr_end) > return;

